The University Hospital of South Manchester NHS Foundation Trust has been criticised by the Information Commissioner's Office (ICO) after the personal details of 87 patients were lost.
The data breach happened when a student on placement at the Trust copied the data onto a personal, unencrypted memory stick for research purposes. The ICO says the memory stick was subsequently lost in December last year.
Crucially, the Hospital assumed the student had been given data protection training at medical school and therefore did not train her the way it does for its own staff. The Trust has agreed to make sure all students working there are made aware of data protection policies.
"This case highlights the need to ensure data protection training for healthcare providers is built in early on so that it becomes second nature," said Sally Anne Poole, acting head of enforcement.
"Medics handle some of the most sensitive personal information possible and it is vital that they understand the need to keep it secure at all times, especially when they are completing placements at several health organisations. NHS bodies have a duty to make sure their staff – both permanent and temporary – understand their responsibilities on day one in the job," she added.
"At a time when so many new doctors will be joining the ranks of the NHS, this story is hardly encouraging," said Mark Fullbrook, director, UK and Ireland at Cyber-Ark. "The NHS holds arguably the most sensitive of our personal information and at the very least we expect it to protect this data adequately and to train its staff, and indeed anyone it works with, to treat this information with the respect it deserves."
"In this case, it is particularly disappointing that it was simply assumed that the student had received data protection training. Given the importance and sensitivity of the information in question, this should have been checked properly and addressed immediately," he said.
Marc Lee, EMEA sales director at Courion, said the breach was entirely avoidable. "The latest NHS data security breach highlights the need for organisations to better understand internal security risk and data vulnerabilities," he said. "Enforcing strict access rights management will help organisations control not only who is accessing sensitive data, but also how this information is being used, and who is entitled to copy confidential data on personal devices such as unencrypted USBs."
"This will inevitably minimise the risk of inappropriate data use and will help organisations ensure that only the right people have access to the right information and are using it in the right way," Lee added.
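The control Lee describes, refusing writes to removable media that is not encrypted, is something a Windows endpoint can enforce with policy rather than training alone. The script below is an added example written for this page, not code from the ICO, the Trust, Courion or Cyber-Ark. It assumes a Windows 10/11 or Server endpoint with BitLocker available, an elevated PowerShell session, and that the policy is being set locally (in a domain the same registry values are delivered through Group Policy). The registry paths and the Get-BitLockerVolume cmdlet are the real Windows ones; the function names and the reporting format are this example's own choices.

```powershell
# Added example: deny writes to removable drives unless they are BitLocker-protected,
# then audit whatever removable volumes are currently attached.
# Run elevated. Registry values here are the documented policy keys behind
# "Deny write access to removable drives not protected by BitLocker" (BitLocker To Go).

function Set-RemovableMediaWritePolicy {
    [CmdletBinding()]
    param(
        # If $true, also deny writes to drives that were encrypted by another organisation
        # (policy value RDVDenyCrossOrg); assumption: most trusts want this on.
        [bool]$DenyCrossOrganisation = $true
    )

    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

    # RDVDenyWriteAccess = 1: unencrypted removable drives mount read-only.
    New-ItemProperty -Path $fve -Name 'RDVDenyWriteAccess' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $fve -Name 'RDVDenyCrossOrg' -PropertyType DWord `
        -Value ([int]$DenyCrossOrganisation) -Force | Out-Null

    # Belt and braces: the generic "Removable Disks" device-class policy.
    # Deny_Write = 0 here because BitLocker To Go handles the write block per-volume;
    # set Deny_Write = 1 instead to block all removable writes regardless of encryption.
    $class = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    if (-not (Test-Path $class)) { New-Item -Path $class -Force | Out-Null }
    New-ItemProperty -Path $class -Name 'Deny_Execute' -PropertyType DWord -Value 1 -Force | Out-Null

    Get-ItemProperty -Path $fve | Select-Object RDVDenyWriteAccess, RDVDenyCrossOrg
}

function Get-UnprotectedRemovableVolumes {
    # Lists attached removable volumes and flags any that are not BitLocker-protected.
    # This is the check an auditor would run on a laptop or workstation the day a
    # student or contractor starts, before any patient data is allowed onto it.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'Data' } |
        ForEach-Object {
            $vol = Get-Volume -DriveLetter $_.MountPoint.TrimEnd(':') -ErrorAction SilentlyContinue
            if ($vol -and $vol.DriveType -eq 'Removable') {
                [pscustomobject]@{
                    Drive            = $_.MountPoint
                    Label            = $vol.FileSystemLabel
                    ProtectionStatus = $_.ProtectionStatus   # On / Off
                    EncryptionMethod = $_.EncryptionMethod
                    Unprotected      = ($_.ProtectionStatus -ne 'On')
                }
            }
        }
}

# Apply the policy and report. Existing mounted drives keep their access until
# remounted; unplug and reinsert to see the read-only behaviour take effect.
Set-RemovableMediaWritePolicy
Get-UnprotectedRemovableVolumes | Format-Table -AutoSize
```

Two caveats a practitioner would add. First, this only governs Windows hosts that receive the policy; a student's personal laptop, which is the device that actually walked the data out in the London Ambulance Service case, is outside its reach, so the access-rights control Lee refers to has to sit at the data store (who can export patient records at all), not just at the USB port. Second, RDVDenyWriteAccess does not stop reads, so it prevents the copy-out but not the carry-in of malware; pair it with Deny_Execute, as above, and with an audit of the BitLocker recovery keys so encrypted sticks can still be recovered by the Trust when a user leaves.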
In a separate case the ICO also criticised the London Ambulance Service, after a personal laptop containing contact details and transport requirements relating to 2,664 patients was stolen from a contractor’s home.
The ICO recently warned the NHS it must improve data security at the organisation and that negligence had become a part of its nature.
"The policies and procedures may already be in place but the fact is that they are not being followed on the ground," he said. "Health workers wouldn’t dream of discussing patient information openly with friends and yet they continue to put information on unencrypted memory sticks or fax it to the wrong number."